Privacy, Security & Compliance

This section provides information on Kudos Travel Technology’s application security and compliance.

Application Security & Compliance

Data Encryption at Rest: ✓
Data Encryption in Transit: ✓
Vulnerability & Penetration Test (weekly): ✓
ASV External Scans (monthly): ✓
Advanced threat detection via AWS GuardDuty: ✓
SAML2 based SSO support: ✓
PCI DSS v3.2.1: ✓

Organisational Security

Kudos' security measures go far beyond securing just our applications. We have a variety of security measures in place across the company – built with best practices in mind and customised to the Kudos Travel Technology environment.

Team

We have a dedicated security team focused on keeping our business and clients protected. In addition to investing in specialist training, we’re also a corporate member of the Chartered Institute of Information Security (CIIS) to ensure our team is continually developing their skills and knowledge.

Policies

We maintain a variety of policies including an Information Security Policy as part of our Information Security Management System (ISMS).

Certifications

Kudos holds a Certificate of Compliance for PCI DSS, version 3.2.1 (Level 1) under the category SAQ D for Service Providers for the protection of Cardholder Data (CD).

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment.

The standard was created to increase controls around cardholder data to reduce credit card fraud. The PCI DSS applies to credit cards from major card brands, including Visa, MasterCard, American Express, Discover, and JCB.

A third-party PCI Qualified Security Assessor (QSA) assesses company systems and processes on an annual basis and issues an Attestation of Compliance (AOC).

Qualified Security Assessor (QSA)

A Qualified Security Assessor is an individual bearing a certificate that has been provided by the PCI Security Standards Council. This certified person can audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.

PCI DSS

Credit cards within the Travel Platform are managed securely to ensure PCI DSS compliance through our partnership with the cloud security platform TokenEx, which is PCI DSS Level 1.

Infrastructure

Kudos' client data is stored in highly secure AWS cloud-hosted data centres located in multiple regional availability zones to support the Kudos Travel Platform. The AWS data centre facilities use innovative secure architectural engineering methodologies, built from decades of experience designing, constructing, and operating large-scale, highly reliable commercial data centres, which are directly applied to Kudos' platform and infrastructure.

Employee Awareness Scheme

We believe in modifying behaviours for the better, not just ticking a compliance box with annual online training. This is why we provide in-house role-specific training to all employees, new joiners and relevant contractors.

Access Control

We implement role-based access control at Kudos. This means that only a limited number of our staff have access to your data, based on their job role.

Business Continuity

Both our application and support services have a variety of measures in place to ensure we can deliver a high-availability service.

Third-Party Vendors

We perform a thorough security audit and subsequent risk assessment on all vendors that will host confidential business or client data. We also use continuous security monitoring to keep track of our vendors.

Technical Security

We have a wide range of technical security measures in place, from advanced Endpoint Detection & Response (EDR), to cloud security and monitoring.

Data Protection & GDPR

We have a thorough compliance program in place. Please see an overview of our data protection measures here.
